cmd/snap-confine: Ensure snap-confine is allowed to access os-release #4182
Conversation
This dupes the existing rule and fixes a regression on Solus where we see a denial for the os-release file. Signed-off-by: Ikey Doherty <[email protected]>
|
Relevant journal issue: |
| @@ -213,6 +213,9 @@ | |||
| umount /var/lib/snapd/hostfs/proc/, | |||
| mount options=(rw rslave) -> /var/lib/snapd/hostfs/, | |||
|
|
|||
| # Allow reading the os-release file (possibly a symlink to /usr/lib). | |||
| /{etc/,usr/lib/}os-release r, | |||
There was a problem hiding this comment.
What puzzles me is why we did not notice this earlier, I think we have a missing (spread) test here :/
There was a problem hiding this comment.
+1
To explain why this was not caught before: this only affects core as the code in question assumes classic and only falls back to core if identified correctly (which didn't work).
On core treated as classic things will behave correctly because we will still set up the right mount namespace, just without reusing the boot layout.
The test relies on the "old" snapd-xdg-open deb package. However with the promotion of snapd 2.28.5 into xenial-updates the pervious snapd-xdg-open version 0.0.0~16.04 is no longer available to download. This means we can not run the test. Disable for now until we find a way to fix it.
Codecov Report
@@ Coverage Diff @@
## master #4182 +/- ##
==========================================
+ Coverage 75.53% 75.54% +<.01%
==========================================
Files 436 436
Lines 37811 37805 -6
==========================================
- Hits 28562 28559 -3
+ Misses 7253 7251 -2
+ Partials 1996 1995 -1
Continue to review full report at Codecov.
|
|
Ty for merge! :) |
This dupes the existing rule and fixes a regression on Solus where we
see a denial for the os-release file.
Signed-off-by: Ikey Doherty [email protected]